/oidc/callback: set CSP (#1679)

alxndrsn · web-flow · commit 373fd05b2c39 · 2025-11-18T11:24:10.000+03:00
Generate the proper content-hash for the page's inline `<style>` element. Ref getodk/central#1235 Ref getodk/central#1478
diff --git a/lib/resources/oidc.js b/lib/resources/oidc.js
@@ -13,6 +13,8 @@
 // OpenID Connect auth handling using Authorization Code Flow with PKCE.
 // TODO document _why_ auth-code-flow, and not e.g. implicit flow?
 
+const { createHash } = require('node:crypto');
+
 const { generators } = require('openid-client');
 const config = require('config');
 const { parse, render } = require('mustache');
@@ -51,38 +53,42 @@ const callbackCookieProps = {
   path: '/v1/oidc/callback',
 };
 
+const style = `
+  #container { text-align:center }
+
+  .lds-spinner { display:inline-block; position:relative; width:80px; height:80px }
+  .lds-spinner div { transform-origin:40px 40px; animation:lds-spinner 1.2s linear infinite }
+  .lds-spinner div:after {
+    content:" "; display:block; position:absolute; top:3px; left:37px;
+    width:6px; height:18px; border-radius:20%; background:#000;
+  }
+  .lds-spinner div:nth-child(1) { transform:rotate(0deg); animation-delay:-1.1s }
+  .lds-spinner div:nth-child(2) { transform:rotate(30deg); animation-delay:-1s }
+  .lds-spinner div:nth-child(3) { transform:rotate(60deg); animation-delay:-0.9s }
+  .lds-spinner div:nth-child(4) { transform:rotate(90deg); animation-delay:-0.8s }
+  .lds-spinner div:nth-child(5) { transform:rotate(120deg); animation-delay:-0.7s }
+  .lds-spinner div:nth-child(6) { transform:rotate(150deg); animation-delay:-0.6s }
+  .lds-spinner div:nth-child(7) { transform:rotate(180deg); animation-delay:-0.5s }
+  .lds-spinner div:nth-child(8) { transform:rotate(210deg); animation-delay:-0.4s }
+  .lds-spinner div:nth-child(9) { transform:rotate(240deg); animation-delay:-0.3s }
+  .lds-spinner div:nth-child(10) { transform:rotate(270deg); animation-delay:-0.2s }
+  .lds-spinner div:nth-child(11) { transform:rotate(300deg); animation-delay:-0.1s }
+  .lds-spinner div:nth-child(12) { transform:rotate(330deg); animation-delay:0s }
+  @keyframes lds-spinner { 0% { opacity:1 } 100% { opacity:0 } }
+
+  .continue-message { opacity:0; animation: 1s ease-in 10s 1 normal forwards fade-in; margin-top:1em }
+  @keyframes fade-in { from { opacity:0 } to { opacity:1 } }
+`;
+const styleHash = createHash('sha256').update(style).digest('base64');
+
 // id=cl only set for playwright. Why can't it locate this anchor in any other way?
 const loaderTemplate = `
   <!doctype html>
   <html>
     <head>
       <title>Loading... | ODK Central</title>
       <meta http-equiv="refresh" content="0; url={{nextPath}}">
-      <style>
-        #container { text-align:center }
-
-        .lds-spinner { display:inline-block; position:relative; width:80px; height:80px }
-        .lds-spinner div { transform-origin:40px 40px; animation:lds-spinner 1.2s linear infinite }
-        .lds-spinner div:after {
-          content:" "; display:block; position:absolute; top:3px; left:37px;
-          width:6px; height:18px; border-radius:20%; background:#000;
-        }
-        .lds-spinner div:nth-child(1) { transform:rotate(0deg); animation-delay:-1.1s }
-        .lds-spinner div:nth-child(2) { transform:rotate(30deg); animation-delay:-1s }
-        .lds-spinner div:nth-child(3) { transform:rotate(60deg); animation-delay:-0.9s }
-        .lds-spinner div:nth-child(4) { transform:rotate(90deg); animation-delay:-0.8s }
-        .lds-spinner div:nth-child(5) { transform:rotate(120deg); animation-delay:-0.7s }
-        .lds-spinner div:nth-child(6) { transform:rotate(150deg); animation-delay:-0.6s }
-        .lds-spinner div:nth-child(7) { transform:rotate(180deg); animation-delay:-0.5s }
-        .lds-spinner div:nth-child(8) { transform:rotate(210deg); animation-delay:-0.4s }
-        .lds-spinner div:nth-child(9) { transform:rotate(240deg); animation-delay:-0.3s }
-        .lds-spinner div:nth-child(10) { transform:rotate(270deg); animation-delay:-0.2s }
-        .lds-spinner div:nth-child(11) { transform:rotate(300deg); animation-delay:-0.1s }
-        .lds-spinner div:nth-child(12) { transform:rotate(330deg); animation-delay:0s }
-        @keyframes lds-spinner { 0% { opacity:1 } 100% { opacity:0 } }
-
-        .continue-message { opacity:0; animation: 1s ease-in 10s 1 normal forwards fade-in; margin-top:1em }
-        @keyframes fade-in { from { opacity:0 } to { opacity:1 } }
+      <style>${style}</style>
       </style>
     </head>
     <body>
@@ -170,6 +176,7 @@ module.exports = (service, __, anonymousEndpoint) => {
       // return redirect(303, nextPath);
       // Instead, we need to render a page and then "browse" from that page to the normal frontend:
 
+      res.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; style-src-elem 'sha256-${styleHash}'; report-uri /csp-report`);
       return render(loaderTemplate, { nextPath });
     } catch (err) {
       if (redirect.isRedirect(err)) {
diff --git a/test/e2e/oidc/playwright-tests/src/oidc-login.spec.js b/test/e2e/oidc/playwright-tests/src/oidc-login.spec.js
@@ -7,6 +7,8 @@
 // including this file, may be copied, modified, propagated, or distributed
 // except according to the terms contained in the LICENSE file.
 
+const assert = require('node:assert');
+
 const { test } = require('@playwright/test');
 
 const { frontendUrl } = require('./config');
@@ -16,6 +18,7 @@ const { // eslint-disable-line object-curly-newline
   assertLoginSuccessful,
   fillLoginForm,
   initTest,
+  sleep,
 } = require('./utils'); // eslint-disable-line object-curly-newline
 
 const password = 'topsecret123'; // fake-oidc-server will accept any non-empty password
@@ -43,6 +46,35 @@ test.describe('happy', () => {
   });
 });
 
+test('/callback should not trigger Content-Security-Policy', async ({ browserName, page }, testInfo) => {
+  // given
+  await initTest({ browserName, page }, testInfo);
+  // and
+  const cspViolations = [];
+  page.on('console', msg => {
+    if (msg.type() === 'error') {
+      const messageText = msg.text();
+
+      // This feels weak, but currently catches CSP violations on all of firefox, chromium & webkit.
+      if (messageText.match(/Content.Security.Policy/)) cspViolations.push(messageText);
+    }
+  });
+
+  // when
+  await page.goto(`${frontendUrl}/v1/oidc/login`);
+  await fillLoginForm(page, { username: 'alice', password });
+  // then
+  await assertLoginSuccessful(page, '/');
+  await assertLocation(page, frontendUrl + '/');
+
+  // when
+  // Race condition: console events seem to be asynchronous.  Not documented, but
+  // see: https://playwright.dev/docs/api/class-page#page-event-console
+  await sleep(1);
+  // then
+  assert.deepEqual(cspViolations, []);
+});
+
 test.describe('redirected errors', () => {
   [
     [ 'user unknown by central',                'bob',     'auth-ok-user-not-found' ],   // eslint-disable-line no-multi-spaces
diff --git a/test/e2e/oidc/playwright-tests/src/utils.js b/test/e2e/oidc/playwright-tests/src/utils.js
@@ -16,6 +16,7 @@ module.exports = {
   assertTitle,
   fillLoginForm,
   initTest,
+  sleep,
 };
 
 const assert = require('node:assert');
